Broker Check

Data filtering profiles

 Data Filtering Profiles to prevent sensitive, confidential, and proprietary information from leaving your network. First, create a data pattern to define the information types for which you want the firewall to filter. Predefined patterns and built-in settings make it easy for you to create custom patterns for filtering on social security and credit card numbers or on file properties, such as a document title or author. Continue to add one or more data pattern to a Data Filtering profile and then attach the profile to a Security policy rule to enable data filtering.

If you’re using a third-party, endpoint data loss prevention (DLP) solution that populates file properties to indicate sensitive content, then data filtering enables the firewall to enforce your DLP policy. To secure this confidential data, create a custom data pattern to identify the file properties and values tagged by your DLP solution and then log or block the files that your Data Filtering profile detects based on that pattern.

  1. Define a new data pattern object to detect the information you want to filter.
    1. Select ObjectsCustom ObjectsData Patternsand Add a new object.
    2. Provide a descriptive Namefor the new object.
    3. (Optional) Select Sharedif you want the data pattern to be available to:
      • Every virtual system (vsys) on a multi-vsys firewall—If cleared (disabled), the data pattern is available only to the Virtual System selected in the Objects
      • Every device group on Panorama—If cleared (disabled), the data pattern is available only to the Device Group selected in the Objects
    4. (Optional—Panorama only) Select Disable overrideto prevent administrators from overriding the settings of this data pattern object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
    5. (Optional—Panorama only) Select Data Captureto automatically collect the data that is blocked by the filter.

Specify a password for Manage Data Protection on the Settings page to view your captured data (DeviceSetupContent-IDManage Data Protection).

  1. Set the Pattern Typeto one of the following:
    • Predefined—Filter for credit card and social security numbers.
    • Regular Expression—Filter for custom data patterns.
    • File Properties—Filter based on file properties and the associated values.
  2. Adda new rule to the data pattern object.
  3. Specify the data pattern according to the Pattern Typeyou selected for this object:
    • Predefined—Select the Name: either Credit Card Numbersor Social Security Numbers (with or without dash separator).
    • Regular Expression—Specify a descriptive Name, select the File Type(or types) you want to scan, and then enter the specific Data Pattern you want the firewall to detect.
    • File Properties—Specify a descriptive Name, select the File Typeand File Property you want to scan, and enter the specific Property Value that you want the firewall to detect.
  4. Click OKto save the data pattern.
  1. Add the data pattern object to a data filtering profile.
    1. Select ObjectsSecurity ProfilesData Filteringand Add or modify a data filtering profile.
    2. Adda new profile rule and select the Data Pattern you created in Step 1 .
    3. Specify ApplicationsFile Types, and what Directionof traffic (upload or download) you want to filter based on the data pattern.

The file type you select must be the same file type you defined for the data pattern in Step 1 or it must be a file type that includes the data pattern file type. For example, you could define both the data pattern object and the data filtering profile to scan all Microsoft Office documents. Or, you could define the data pattern object to match to only Microsoft PowerPoint Presentations while the data filtering profile scan all Microsoft Office documents.

If a data pattern object is attached to a data filtering profile and the configured file types do not align between the two, the profile will not correctly filter documents matched to the data pattern object.

  1. Set the Alert Thresholdto specify the number of times the data pattern must be detected in a file to trigger an alert.
  2. Set the Block Thresholdto block files that contain at least this many instances of the data pattern.
  3. Set the Log Severityrecorded for files that match this rule.
  4. Click OKto save the data filtering profile.
  1. Apply the data filtering settings to traffic.
    1. Select PoliciesSecurityand Add or modify a security policy rule.
    2. Select Actionsand set the Profile Type to Profiles.
    3. Attach the Data Filtering profile you created in Step 2to the security policy rule.
    4. Click OK.
  2. (Recommended) Prevent web browsers from resuming sessions that the firewall has terminated.

This option ensures that when the firewall detects and then drops a sensitive file, a web browser cannot resume the session in an attempt to retrieve the file.

  1. Select DeviceSetupContent-IDand edit Content-ID Settings.
  2. Clear the Allow HTTP header range option.
  3. Click OK.
  1. Monitor files that the firewall is filtering.

Select MonitorData Filtering to view the files that the firewall has detected and blocked based on your data filtering settings.